am-mock-api-0.0.0.tgz: 2 vulnerabilities (highest severity is: 7.5) #505
Description
Vulnerable Library - am-mock-api-0.0.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Found in HEAD commit: cb7b20c159ac2c1b8ff9453b332c9ed1e672d256
Vulnerabilities
| Vulnerability | Severity |  CVSS |
Dependency | Type | Fixed in (am-mock-api version) | Remediation Possible** |
|---|---|---|---|---|---|---|
| CVE-2025-15284 |  High |
7.5 | detected in multiple dependencies | Transitive | N/A* | ❌ |
| CVE-2025-13466 |  Medium |
5.8 | body-parser-2.2.0.tgz | Transitive | N/A* | ❌ |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2025-15284
Vulnerable Libraries - qs-6.14.0.tgz, qs-6.13.0.tgz
qs-6.14.0.tgz
A querystring parser that supports nesting and arrays, with a depth limit
Library home page: https://registry.npmjs.org/qs/-/qs-6.14.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- am-mock-api-0.0.0.tgz (Root Library)
- body-parser-2.2.0.tgz
- ❌ qs-6.14.0.tgz (Vulnerable Library)
- body-parser-2.2.0.tgz
qs-6.13.0.tgz
Library home page: https://registry.npmjs.org/qs/-/qs-6.13.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- am-mock-api-0.0.0.tgz (Root Library)
- express-4.21.2.tgz
- ❌ qs-6.13.0.tgz (Vulnerable Library)
- express-4.21.2.tgz
Found in HEAD commit: cb7b20c159ac2c1b8ff9453b332c9ed1e672d256
Found in base branch: main
Vulnerability Details
Improper Input Validation vulnerability in qs (parse modules) allows HTTP DoS.This issue affects qs: < 6.14.1.
SummaryThe arrayLimit option in qs does not enforce limits for bracket notation (a[]=1&a[]=2), allowing attackers to cause denial-of-service via memory exhaustion. Applications using arrayLimit for DoS protection are vulnerable.
DetailsThe arrayLimit option only checks limits for indexed notation (a[0]=1&a[1]=2) but completely bypasses it for bracket notation (a[]=1&a[]=2).
Vulnerable code (lib/parse.js:159-162):
if (root === '[]' && options.parseArrays) {
obj = utils.combine([], leaf); // No arrayLimit check
}
Working code (lib/parse.js:175):
else if (index <= options.arrayLimit) { // Limit checked here
obj = [];
obj[index] = leaf;
}
The bracket notation handler at line 159 uses utils.combine([], leaf) without validating against options.arrayLimit, while indexed notation at line 175 checks index <= options.arrayLimit before creating arrays.
PoCTest 1 - Basic bypass:
npm install qs
const qs = require('qs');
const result = qs.parse('a[]=1&a[]=2&a[]=3&a[]=4&a[]=5&a[]=6', { arrayLimit: 5 });
console.log(result.a.length); // Output: 6 (should be max 5)
Test 2 - DoS demonstration:
const qs = require('qs');
const attack = 'a[]=' + Array(10000).fill('x').join('&a[]=');
const result = qs.parse(attack, { arrayLimit: 100 });
console.log(result.a.length); // Output: 10000 (should be max 100)
Configuration:
- arrayLimit: 5 (test 1) or arrayLimit: 100 (test 2)
- Use bracket notation: a[]=value (not indexed a[0]=value)
ImpactDenial of Service via memory exhaustion. Affects applications using qs.parse() with user-controlled input and arrayLimit for protection.
Attack scenario: - Attacker sends HTTP request: GET /api/search?filters[]=x&filters[]=x&...&filters[]=x (100,000+ times)
- Application parses with qs.parse(query, { arrayLimit: 100 })
- qs ignores limit, parses all 100,000 elements into array
- Server memory exhausted → application crashes or becomes unresponsive
- Service unavailable for all users
Real-world impact: - Single malicious request can crash server
- No authentication required
- Easy to automate and scale
- Affects any endpoint parsing query strings with bracket notation
Publish Date: 2025-12-29
URL: CVE-2025-15284
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-6rw7-vpxm-498p
Release Date: 2025-12-29
Fix Resolution: qs - 6.14.1,qs - 6.14.1,https://github.com/ljharb/qs.git - v6.14.1
CVE-2025-13466
Vulnerable Library - body-parser-2.2.0.tgz
Node.js body parsing middleware
Library home page: https://registry.npmjs.org/body-parser/-/body-parser-2.2.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- am-mock-api-0.0.0.tgz (Root Library)
- ❌ body-parser-2.2.0.tgz (Vulnerable Library)
Found in HEAD commit: cb7b20c159ac2c1b8ff9453b332c9ed1e672d256
Found in base branch: main
Vulnerability Details
body-parser 2.2.0 is vulnerable to denial of service due to inefficient handling of URL-encoded bodies with very large numbers of parameters. An attacker can send payloads containing thousands of parameters within the default 100KB request size limit, causing elevated CPU and memory usage. This can lead to service slowdown or partial outages under sustained malicious traffic.
This issue is addressed in version 2.2.1.
Publish Date: 2025-11-24
URL: CVE-2025-13466
CVSS 3 Score Details (5.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
Suggested Fix
Type: Upgrade version
Release Date: 2025-11-24
Fix Resolution: https://github.com/expressjs/body-parser.git - v2.2.1,body-parser - 2.2.1